Categories

What’s up with Sitemeter?

It has been a busy day. Lots of interesting things have happened over the course of the last few hours. One interesting issue which we faced today was when trying to help out on badwarebusters.org today. It seems that one of our scans popped up a script hosted by Site Meter as potentially malicious. This gets interesting because this kind of code acts as a tracker to measure how many hits a site gets, where the users are coming from, how much time they spend on a page etc. The important point being this code is deployed on tons of websites. Some of the interesting websites I visit also have this code. I was intrigued to see why this popularly used counter was popping up as suspicious.

We had a look at our logs, local dumps and analysis and saw that the Site Meter script was pushing in an iFrame pointing to dg.specificclick.net using a body-onload event to trigger the event. Interestingly, dg.spe cificclick.net, has been associated with multiple cases of Internet misdemeanor. [0][1][2][3][4]

It is surprising to see companies that have widely established customer bases to link to questionable content.

The code from the Site Meter script is presented below, the offending part is clearly visible.

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-24, and the last time suspicious content was found on this site was on 2009-11-24.
Malicious software includes 8 trojan(s), 2 worm(s). Successful infection resulted in an average of 16 new process(es) on the target machine.